Date: Sun, 17 Sep 2017 18:23:44 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Alexander Batischev <eual.jp@...il.com>
Subject: Re: Podbeuter podcast fetcher: remote code execution

On Sun, Sep 17, 2017 at 09:59:11AM -0600, Kurt Seifried wrote:
> many orgs (probably not open source distros run by
> volunteers, but more big corps) literally do have a clock start ticking
> when a CVE comes to light

I think that's not a reason to delay disclosing an issue to everyone
else until there's a CVE ID. If those orgs have such poor, limited, or
maybe cost-saving processes (saving on not needing to bother with issues
lacking CVE IDs, no matter how serious), it's their problem and their
users'. They deliberately put themselves at a competitive disadvantage.
So be it. This only reaffirms me in my suggested approach: public
disclosure first, CVE next. So those big corps will have a reason to
fix the issues anyway, just with their self-imposed delay.

Alexander